Selective wireless disablement for computers passing through a security checkpoint

ABSTRACT

A security system for computers defines a control zone using radiation, preferably at radio frequency, having a distinctive characteristic, such as a particular frequency. The zone may be established, for example, at a door exit or other limited passage to a secured area. The radiation triggers a device in the computer that in turn sends out a serial number signal. To further prevent unauthorized removal a personal identification number is required of the person in the zone with the computer, either by key input or an encoded radio signal. A receiver located near the control zone applies the serial number to a table look up computer that triggers an emergency signal if a match to an authorized list of serial numbers for the computer and corresponding person does not occur. The emergency signal activates a transmitter that sends out an emergency radiation signal with a different distinctive characteristic. A second receiver in the computer then responds to the emergency radiation signal to trigger the security logic to render the computer inoperative.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation in part of U.S. patent applicationSer. No. 08/640366 filed Apr. 30, 1996, entitled “Personal ComputerSystem With Security Feature now, U.S. Pat. No. 5,970,227”, thedisclosure of which is hereby incorporated by reference.

The invention described herein is related to that described in U.S. Pat.No. 5,388,156, to that described in U.S. application Ser. No. 07/889,325filed May 22, 1992, entitled “Trusted Personal Computer System WithLimited Accessibility” now U.S. Pat. No. 5,712,973 and to that describedin U.S. Pat. No. 5,574,786 entitled “Securing Trusted Personal ComputerSystem Against Unauthorized Movement,” all of which are held in commonownership with this invention.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates in general to security for computer systems and,in particular, to a security system for computers, such as laptopcomputers, that are moved past a checkpoint.

2. Description of the Prior Art

Personal computer systems have attained widespread use for providingcomputer power to many segments of today's modern society. Personalcomputer systems can usually be defined as a desk top, floor standing,or portable microcomputer that consists of a system unit having at leastone system processor and associated volatile and non-volatile memory, adisplay monitor, a keyboard, one or more diskette drives, a fixed diskstorage, and an optional printer. One of the distinguishingcharacteristics of these systems is the use of a motherboard (also knownas and occasionally mentioned herein as a system board, system planar orplanar) to electrically connect these components together. These systemsare designed primarily to give independent computing power to a singleuser and are inexpensively priced for purchase by individuals or smallbusinesses. Examples of such personal computer systems are IBM'sPERSONAL SYSTEM/2 Models 90 and 95, IBM PC 300 series, and Think Padseries.

Advances in technology are resulting in smaller form factors for desktopand portable systems. Portables are designed to fit into a standardbrief case and some of the small form desktop could also fit into alarge brief case. The small size combined with the tremendous computingpower has made these computers a target for thieves. This coupled withthe growing use of personal computers in the world in recent years,resulting in more information being collected and stored in suchsystems, has created a security risk. Many computers contain data thatis either sensitive to an individual or to a company. In the wronghands, this data could become damaging to individuals, a company couldlose a competitive edge, or sensitive data could be used to forcepayment for silence. As more users recognize the sensitive nature ofdata and its value, the more it becomes desirable to protect againstsuch misuse. To protect themselves and the persons associated with thestored data, users are requiring incorporation of security and integrityfeatures into the personal computers that they purchase.

Users are not the only people to recognize the sensitivity of the databeing collected and stored. Governments are also enacting laws toenforce protection of sensitive data. One such government is that of theUnited States. It has recognized and responded to the gravity of thesituation. The United States federal government has defined securitylevels and the associated requirements it takes to meet those levels,and provides a certification agency for personal computer manufacturersto submit products in order to see if the products meet the securitylevel claimed by the manufacturer. The source for the FederalRequirements is the Department of Defense, Trusted Computer SystemEvaluation Criteria, DOD 5200.28 STD, 12/85, generally referred to asThe Orange Book. The government has legislated that by Jan. 1, 1992 alldata related to the government must only be processed and stored onpersonal computers with a minimum security level of C-2. For computersystem hardware, the essence of the requirements is contained in theAssurance section, Requirement 6: “trusted mechanisms must becontinuously protected against tampering and/or unauthorized changes . ..”

The related Application Ser. No. 840,965 describes a personal computerproviding means for limiting access to certain critical data to onlythose users having a proper privilege to access such data. In realizingthis purpose, a specialized memory element is provided for receiving andstoring a Power On Password and a Privileged Access Password (sometimeshereinafter called a “POP” and a “PAP” respectively) and forcoordinating the access granted to various functions and data to theactivation and usage of the passwords. The related Application Ser. No.08/640366 filed Apr. 30, 1996 describes a security system for computersthat defines a control zone using radiation, preferably at radiofrequency, having a distinctive characteristic, such as a particularfrequency. The zone may be established, for example, at a door exit orother limited passage to a secured area. Thus use of such systemsprovides protection of physical assets and data but is too restrictivefor use in mobile computers. The system may be adapted to selectivelyallow activation or deactivation of security measures should thecircumstances of use so permit. Thus users of such systems are givengreat flexibility in application of the systems while company ororganization can maintain strict security controls. Certain of theteachings of this related Application are described in detailhereinafter in view of its relationship with the invention of thepresent Application.

BRIEF DESCRIPTION OF THE INVENTION

With the foregoing in mind, the present invention contemplates a newpersonal computer feature, which makes data stored in a personalcomputer system inaccessible if transported by an unauthorized person.In particular, the invention addresses the problem of removal of thecomputer from an area by a person without authorization to remove anddisables the computer in response to such removal. Indeed, the presentinvention responds to removal of a computer authorized for removal butwhich is being removed by a person not authorized for such removal orwho has not provided an personal identity code. For a preferredimplementation the computer can be made operative again by providing acorrect password.

A personal computer system of the type described above has a firstradiation responsive system that emits a radiation signal bearing acoded serial number upon being exposed to radiation having a predefinedcharacteristic. The personal identification number is required of theperson in the zone with the computer, either by key input or an encodedradio signal. Receivers in the control zone then trigger a computer todo a search referencing a list of serial numbers authorized for removalby individuals through such zone, which may, for example, be a doorwayto a computer room. If the serial number of the computer is notauthorized for the identified individual, a signal is sent to triggertransmission of radiation having a second predefined characteristic,different from the first characteristic, which causes a receiver in thecomputer to activate logic that disables the computer from completingpower-on setup, thereby making the computer inoperable.

The preferred new security feature renders the personal computer systeminoperable, if an unauthorized individual moves the computer systemthrough a control zone where it is exposed to radiation with apredefined characteristic. Thus, at least, certain data contained withinthe system components cannot be accessed by an unauthorized user in theevent that the system is transported through the control zone orcheckpoint.

BRIEF DESCRIPTION OF THE DRAWINGS

Some of the features of the invention having been stated, other featureswill appear as the description proceeds, when taken in connection withthe accompanying drawings, in which:

FIG. 1 is a perspective view of a personal computer system embodyingthis invention;

FIG. 2 is an exploded perspective view of certain elements of thepersonal computer of FIG. 1 including a chassis, a cover, and a planarboard and illustrating certain relationships among those elements andfurther including certain components related to the security feature ofthe present invention;

FIG. 3 is a schematic view of certain components of the personalcomputer of FIGS. 1 and 2;

FIGS. 4 and 5 are schematic representations of certain components of thepersonal computer of FIGS. 1 and 2 which are related to the securityfeatures of the prior art and to the security feature of the presentinvention;

FIG. 6 is an enlarged scale perspective view of certain componentsillustrated in FIGS. 4 and 5;

FIG. 7 is a view similar to FIG. 6 of certain optional components of thepersonal computer of FIGS. 1, 2, 4 and 5;

FIGS. 8a-8 c and 9 a-9 e are schematic flowcharts illustrating certainfunctions involved in the security options available in accordance withthe tamper evident security feature of the prior art which have beenmodified to include functions involved in the security feature of thepresent invention;

FIG. 10 is a simplified pictorial diagram of a control zone, indicatinga radiation field and a computer system prior to entering the radiationfield;

FIG. 11 is a simplified pictorial diagram of a control zone with akeypad for allowing a user to key in an identifier prior to passingthrough the control zone; and

FIG. 12 is a flowchart diagram showing logic for processingidentification signals according to the invention.

DETAILED DESCRIPTION OF INVENTION

While the present invention will be described more fully hereinafterwith reference to the accompanying drawings, in which a preferredembodiment of the present invention is shown, it is to be understood atthe outset of the description which follows that persons of skill in theappropriate arts may modify the invention here described while stillachieving the favorable results of this invention. Accordingly, thedescription which follows is to be understood as being a broad, teachingdisclosure directed to persons of skill in the appropriate arts, and notas limiting upon the present invention.

Certain defined terms may be used herein, as follows:

TRUSTED COMPUTING BASE (TCB): The totality of protection mechanismswithin a computer system—including hardware, firmware and software—thecombination of which is responsible for enforcing a security policy. ATCB consists of one or more components that together enforce a unifiedsecurity policy over a product or system. The ability of a TCB tocorrectly enforce a security policy depends solely on the mechanismswithin the TCB and on the correct input by system administrativepersonnel of parameters (e.g. a user's clearance) related to thesecurity policy.

TRUSTED SOFTWARE: The software portion of a Trusted Computing Base.

TRUSTED PROGRAM: A program included in Trusted Software.

OPEN PROGRAM: A program operable on a Trusted Computing Base and whichis other than a Trusted Program.

REFERENCE MONITOR CONCEPT: An access control concept that refers to anabstract machine that mediates all accesses to objects by subjects.

SECURITY KERNEL: The hardware, firmware and software elements of aTrusted Computing Base that implement the reference monitor concept. Itmust mediate all accesses, be protected from modification and beverifiable as correct.

TRUSTED COMPUTER SYSTEM: A system that employs sufficient hardware andsoftware integrity measures to allow its use for processingsimultaneously a range of sensitive or classified information.

SYSTEM OWNER: The system owner is the user who is responsible forconfiguring and placing a system in secure mode initially. The systemowner will control configuration both initially and whenever an updateneeds to be made. This person will control the Privileged AccessPassword and be responsible for maintaining its integrity. The systemowner will also maintain physical security of the tamper evident coverkeylock key. The system owner also will maintain a database of computersystem serial numbers and user identification numbers that are permittedto transport that computer. The system owner will be responsible formaintaining security logs on all systems. The system owner will alsohave to record all attempted security breaches. The system owner may ownmore than one system. The system owner is considered an authorized userand can also be a normal user.

SECURE MODE: When a system owner has successfully installed thePrivileged Access Password on a personal computer system to invokesecurity protection provided by the security and integrity elements.

AUTHORIZED USER: Any user who is given permission to use the PrivilegedAccess Password. This person may or may not be the system owner. Thisperson may also have a key for a particular system or a set of systems.If this person is involved in recovering a system from a securitybreach, they are responsible for reporting it to the system owner. Anauthorized user may also be a normal user.

NORMAL USER: Any user of a system authorized to use the systemfacilities. In order to change a system configuration or fix a problem,this user requires the assistance of either the system owner or anauthorized user. The normal user does not have the Privileged AccessPassword or the tamper evident cover keylock key unless they belong toeither the authorized user or system owner category.

UNAUTHORIZED USER: Any one not defined as a system owner, authorizeduser or normal user. Any use of a secured personal computer system by anunauthorized user is considered a security breach, other than anunsuccessful power on, and an audit trail must exist showing suchbreaches.

AUTHORIZED MOVE: Any movement a computer that has been previouslyauthorized by the system owner. The system owner permits a user(authorized or normal) to move a machine through a security checkpointwithout disabling the machine.

UNAUTHORIZED MOVE: Any movement of a computer that has not beenpreviously authorized by the system owner. Attempts to move machinethrough a security checkpoint will result in disabling the machine.

EEPROM: Electrically Erasable Programmable Read Only Memory. This memorytechnology provides for non-volatile storage of data that can be changedunder control of hardware logic. Contents of storage are not lost whenpower is absent. Contents may be altered only when the appropriatecontrol signals on the module are activated in the predefined sequence.

PASSWORD DESCRIPTION: The system has the potential to be protected bytwo passwords: 1. Privileged Access Password (PAP) and 2. Power OnPassword (POP). These passwords are intended to be used independently ofone another. The PAP is designed to provide protection for the systemowner by protecting the Initial Program Load (IPL) device boot list,access to the password utility, access system settings, or access to theSystem Partition in a Micro Channel Architecture (MCA) system. Theexistence of the PAP will be transparent to a normal user using the POP.The PAP will be installed, changed, or deleted by Power On Self Test(POST) or in the System Partition for MCA systems. The PAP, when set andentered correctly, will give the owner access to the entire system,overriding the POP. The POP, working as on all current IBM systems, isused to prevent any unauthorized access to the Operating System on theDASD or the facilities of the system.

Referring now more particularly to the accompanying drawings, amicrocomputer system embodying the present invention is there shown andgenerally indicated at 10 (FIG. 1). The computer system 10 may have anassociated monitor 11, keyboard 12 and printer or plotter 14. Thecomputer 10 has a cover 15 which cooperates with a chassis 19 indefining an enclosed, shielded volume for receiving data processing andstorage components for processing and storing digital data, as shown inFIG. 2. At least certain of the system components are mounted on a multilayer planar 20 (also commonly called a motherboard or system board)which is mounted on the chassis 19 and provides a means for mounting andelectrically interconnecting various components of the computer system10 including the CPU, system memory and accessory cards or boards as iswell known in the art. The chassis 19 has a base and a rear panel 16 anddefines at least one open bay 22 for receiving a data storage devicesuch as a disk drive 23.

At the rear panel 16 or other suitable area, according to one aspect ofthe invention, an antenna 109 is mounted to extend outside computer 10to collect radiation. The antenna 109 is intended to provide a signalindicating radiation in the vicinity of the computer system 10 and isconnected to a detector 110 which is tuned to trigger in response to aparticular radiation characteristic, such as a predefined frequency inan allowed radio frequency band.

When triggered detector 110 creates an alarm signal by setting a flagbit in a register 114 (see also FIG. 4) to the “on” state. As will bediscussed below (with reference to FIGS. 8a-c), this flag is tested bylogic in the set up sequence of the computer 10 and, when in the onstate, causes the setup logic to be diverted to require a password inputto permit the system 10 to become operative.

In a preferred but more complex implementation of the invention, thereis additionally provided a second antenna 150 which also collectsradiation external of the computer 10. The signal of antenna 150 isapplied to an electronic tag 154 which responds to radiation having asecond predefined characteristic to emit radiation, using an antenna152, that bears an encoded serial number. Such electronic tags are knownin the art and, for example, the Texas Instruments Capsule Series, 32 mmTransponder, P/N RI-TRP-RR2B may be used. Preferably the secondcharacteristic is a different allowed frequency in the radio band thanthe first frequency characteristic.

Prior to relating the above structure for the invention to the setuplogic of the computer, a summary of the operation in general of thecomputer system 10 will be reviewed. Referring to FIG. 3, there is showna block diagram of a personal computer system illustrating the variouscomponents of the computer system such as the system 10 in accordancewith the present invention, including components mounted on the planar20 and the connection of the planar to the I/O slots and other hardwareof the personal computer system. Connected to the planar is the systemprocessor 32. While any appropriate microprocessor can be used as theCPU 32, one suitable microprocessor is the Pentium which is sold byINTEL. The CPU 32 is connected by a high speed CPU local bus 34 to a businterface control unit 35, to volatile random access memory (RAM) 36here shown as Single Inline Memory Modules (SIMMs) and to BIOS ROM 38 inwhich is stored instructions for basic input/output operations to theCPU 32. The BIOS ROM 38 includes the BIOS that is used to interfacebetween the I/O devices and the operating system of the microprocessor32. Instructions stored in the BIOS ROM 38 can be copied into RAM 36 todecrease the execution time of BIOS. The system also has, as has becomeconventional, a circuit component which has battery backed non-volatilememory (conventionally CMOS RAM) for receiving and retaining dataregarding the system configuration and a real time clock (RTC) 68 (FIGS.3 and 4).

While the present invention is described hereinafter with particularreference to the system block diagram of FIG. 3, it is to be understoodat the outset of the description which follows that it is contemplatedthat the apparatus and methods in accordance with the present inventionmay be used with other hardware configurations of the planar board. Forexample, the expansion bus could be Industry Standard Architecture(ISA), Micro Channel Architecture, or Peripheral Connect Interface(PCI).

Returning now to FIG. 3, the CPU local bus 34 (comprising data, addressand control components) also provides for the connection of themicroprocessor 32 with a math coprocessor 39 and a Small ComputerSystems Interface (SCSI) controller 40. The SCSI controller 40 may, asis known to persons skilled in the arts of computer design andoperation, be connected or connectable with Read Only Memory (ROM) 41,RAM 42, and suitable internal or external devices of a variety of typesas facilitated by the I/O connection indicated to the right in theFigure. The SCSI controller 40 functions as a storage controller incontrolling storage memory devices such as fixed or removable mediaelectromagnetic storage devices (also known as hard and floppy diskdrives), electro-optical, tape and other storage devices.

The bus interface controller (BIC) 35 couples the CPU local bus 34 withan I/O bus 44. By means of the bus 44, the BIC 35 is coupled with anoptional feature bus such as a MICRO CHANNEL bus having a plurality ofI/O slots for receiving MICRO CHANNEL adapter cards 45 which may befurther connected to an I/O device or memory (not shown). The I/O bus 44includes address, data, and control components. Coupled along the I/Obus 44 are a variety of I/O components such as a video signal processor46 which is associated with video RAM (VRAM) for storing graphicinformation (indicated at 48) and for storing image information(indicated at 49). Video signals exchanged with the processor 46 may bepassed through a Digital to Analog Converter (DAC) 50 to a monitor orother display device. Provision is also made for connecting the VSP 46directly with what is here referred to as a natural image input/output,which may take the form of a video recorder/player, camera, etc. The I/Obus 44 is also coupled with a Digital Signal Processor (DSP) 51 whichhas associated instruction RAM 52 and data RAM 54 available to storesoftware instructions for the processing of signals by the DSP 51 anddata involved in such processing. The DSP 51 provides for processing ofaudio inputs and outputs by the provision of an audio controller 55, andfor handling of other signals by provision of an analog interfacecontroller 56. Lastly, the I/O bus 44 is coupled with an input/outputcontroller 58 with an associated Electrical Erasable Programmable ReadOnly Memory (EEPROM) 59 by which inputs and outputs are exchanged withconventional peripherals including floppy disk drives, a printer orplotter 14, keyboard 12, a mouse or pointing device (not shown), and bymeans of a serial port. The EEPROM plays a part in the securityprovisions described hereinafter.

In achieving certain objectives of securing a personal computer systemas described herein, the personal computer system 10 has an erasablememory element mounted within the system enclosure for selectiveactivation to active and inactive states and for receiving and storing aprivileged access password (defined more fully hereinafter) when in theactive state. The erasable memory element preferably is the electricallyerasable programmable read only memory device or EEPROM 59 (FIG. 3)described above. The system also has an option or security switchmounted within the enclosure and operatively connected with the erasablememory element 59 for setting that memory element to the active andinactive states. The option switch (also called security switch in thisdisclosure) may be, for example, a jumper mounted on the system planar20 and manually settable to two different states by a person havingaccess to the planar. In one state (also known as the write enablestate), the EEPROM 59 is set to be active and to store a PAP asdescribed herein. In the write enable state, the PAP may be written tothe EEPROM, changed or removed. In the other or inactive state, the PAPstorage capability of the EEPROM is set to be inactive.

As mentioned above, the system 10 also has a second component havingerasable memory capabilities, namely battery supported, non-volatileCMOS RAM and an associated real time clock (RTC), indicated at 68 inFIG. 4. The CMOS RAM stores data indicative of the system configurationincluding data regarding the successful entry of the PAP on power up ofthe system 10. At least one tamper detection switch (FIGS. 4, 5 and 6)is provided, mounted within the enclosure and operatively connected withthe CMOS RAM for detecting opening of the enclosure and for clearingcertain data stored in that memory element in response to any switchingof the tamper detection switch.

The system processor 32, in accordance with this invention, isoperatively connected with the EEPROM 59 and the CMOS RAM 68 andfunctions in part for controlling access to at least certain levels ofdata stored within the system by distinguishing between the active andinactive states of the PAP storage capability of the memory element andbetween entry and non-entry of any valid, stored privileged accesspassword (PAP). By manipulating the option switch, an operator (or morespecifically the person charged with supervising and maintaining thesecurity) of the system may select between secured operation of thesystem and unsecured operation of the system by selecting respectiveactive and inactive states of the EEPROM. If secured operation isdesired and to be effectuated, then the system owner must also enter aPAP.

As here disclosed, the system adapted for security concerns inaccordance with this invention has two separate non-volatile erasablememory elements—the EEPROM and the CMOS RAM. This is done, in part,because at the time of this invention, EEPROM have a limited life interms of the number of cycles of erasing and writing, while theindicators of the state of the PAP and the correct entry of the PAP, aswell as at least potentially the state of any unauthorized opening ofthe system enclosure, may need to be erased and written a large numberof times. Thus the functions described herein have been separated intofirst and second erasable memory elements in order to adapt to presentlyavailable technology. However, it is contemplated that the two forms ofrelated data may be stored in a single erasable memory element whereeither technology so permits or a system designer is willing to acceptthe limitations that follow.

FIG. 4 illustrates certain relationships among the conventional powercontrol or “on/off” switch 61, the conventional power supply 62,switches which change conductive state in response to opening or removalof enclosure covers such as the main cover 15 and the cable connectioncover 16, and a keylock switch 64. The switches which change state onopening or removal of enclosure covers are, as illustrated, two innumber; namely a switch 65 (FIGS. 4, 5 and 6) responsive to removal ofthe main cover 15 and a switch 66 (FIGS. 4, 5 and 7) responsive toremoval of the cable connection cover 16. Each switch has twocomponents, one normally open (65 a and 66 a, respectively) and onenormally closed (65 b and 66 b, respectively). The second switch 66 isoptional, as is the cable connection cover 16. However, as will be clearfrom a thoughtful consideration of the disclosure here made, thepresence of the optional cover and switch assures more complete securitycontrol over the system.

The normally open contact sets of the cover switches 65 and 66 areconnected in series with the main power switch 61 and to the powersupply 62 (FIG. 4). As a consequence, if an attempt is made to “powerup” the system 10 with the covers removed, the contact sets 65 a and 66a will be open and prevent system operation. With the covers in place,the contact sets are held closed and normal system operation may beinitiated.

The normally closed contact sets of the cover switches 65 and 66 areconnected in series with the keylock switch 64 and to the RTC and CMOSmemory 68. The normally closed contact sets 65 b and 66 b are held openby the presence of the covers 15, 16 and will close on the removal ofthose covers. The keylock switch 64 is normally held closed on lockingof the enclosure lock which is conventionally supplied on the computersystem 10. These three contact sets provide an alternate path to groundfor current otherwise energizing portions of the RTC and CMOS memory,and have the effect of setting a register 114 of that memory to adistinctive state (such as all “1”s) if energization is lost, as uponunauthorized removal of a cover while the system is in an enclosurelocked state. As that segment in memory is checked by POST, setting thatsegment to a distinctive state will result in a configuration errorsignal being generated which will alert a system owner that an attempt(successful or otherwise) has been made to breach system security.

In accordance with the present invention, the radiation detector 110(see FIG. 2) is connected through a transistor 108 to a transistor 106which responds to the alarm signal to set the alarm flag at a register114 which is preferably a segment of CMOS RAM 68. The polling loop logicfor testing the register 114 is show in FIG. 8a. This signal stored atregister 114 is tested by the security logic as will be described morespecifically with reference to FIG. 8c and if the register has been setwill require entry of a correct password to complete the power-upsequence (see the diagrammatic representation of this logic at FIG. 8c).

The keylock switch 64 and main enclosure cover switch 65 are preferablymounted on a front card guide member 69 (FIGS. 2 and 6) so as to beappropriately positioned relative to the lock provided in the mainenclosure cover 15. The front card guide member is mounted in thecomputer system frame is such a position that an actuating lever 70 forthe cover switch 65 protrudes through an opening in an upright frontframe member, to be actuated by the cover 15 when present and positionedto close the system enclosure.

The cable cover switch 66 is preferably mounted on the rear panel of thesystem frame, positioned to be actuated by a latch member mounted on thecable cover 16 and rotatable under the control of a manually operablekeylock similar to that provided on the enclosure cover 15. When theoptional cable cover 16 is used (as will be the case where full securityof the system is desired or required), latching or locking of the coverto the rear panel causes the latch member to close the associatednormally open contact set 66 a and open the normally closed contact set66 b.

The security and integrity features described above and hereinafter workindependently of a previously offered personal computer securityfeature, the Power on Password (POP). These additional security andintegrity features provide a secure platform for operating systemcertification under applicable regulations such as the Orange Book. Anadditional password is required to place the system in secure mode. Thepassword is here referred to as the Privileged Access Password (PAP). Tomaintain compatibility with previous personal computer systems, the POPis still supported. This description so far deals with the security andintegrity features as they relate to POST and the password utilityexecuting on a personal computer system with an EEPROM, option switch,and tamper evident covers.

Password Security is implemented by system hardware features; an EEPROM,a security switch and a tamper evident cover switch, firmware, POST andthe system software password utility. Once the PAP has been installed,the system is in secure mode. The PAP is saved in the EEPROM. A backupcopy of the PAP is also maintained in the EEPROM. This is done toprevent accidental loss of the PAP when a power failure occurs duringthe installation, change, or removal of the PAP. The POP and at leastcertain bits indicative of the validity of the PAP (if installed) arestored in the CMOS RTC. Changes in data retained in the CMOS RTC and inthe EEPROM are independent one from the other.

Two bits in the EEPROM are used as a state machine that lets POST knowexactly where a power outage occurred in the update sequence and, ifpossible, recover from a system board replacement situation. Thepassword utility maintains the update indicator field, a two bit statemachine used during any access to the PAP. If a power outage occurredduring the password modification, when power is restored POST checks thestate machine (POST actually checks the state machine on all power ups.)If the PAP is updated successfully (a ‘00’ state), POST proceeds in thenormal manner. If the update has started before power is lost (a ‘01’state), POST will check for the presence of a valid backup PAP. Ifvalid, POST copies the backup PAP into the storage for the primary PAP.If the primary PAP has been updated successfully (a ‘10’ state), POSTwill use the primary PAP (the new PAP) to validate any attempts to usethe system reference diskette or boot the system partition. POST willassume the backup PAP is invalid. POST will copy the primary PAP to thebackup PAP in this case. If the option or security switch is not in theunlocked or write enable position an error will be displayed. The systemowner will have to intervene by unlocking the covers and changing theposition of the security switch.

If the backup PAP has been updated successfully (a ‘11’ state), both theprimary and backup PAP are considered valid and POST will verify thevalidity of the Primary PAP, prior to confirming the entry of the PAP bythe user.

As mentioned above, the POP is maintained in CMOS memory. Two bits willbe maintained in CMOS memory for use as password indicators for the PAP.One indicator is used to signify that the system is in secure mode (PAPinstalled). The second indicator is to signify that the PAP was enteredduring the initial power on, cold boot. These two indicators will beinitialized and set at a cold boot only. Prior to IPL, the indicatorswill be write protected unless the system reference diskette or systempartition is booted, which requires the successful entry of anyinstalled PAP. Changes in the POP and in the indicators are independentof any changes in the PAP stored in the EEPROM. However, changes in theCMOS memory can indicate security violations that require entry of avalid PAP for recovery permitting the loading of an operating system.

To prevent any unauthorized access to the passwords, the IPL device bootlist, the EEPROM CRC, and all the indicators will be locked prior toInitial Program Load (IPL) booting an operating system. To lock outthese areas, POST will set special hardware latches that cannot be resetunless the system is powered off. At the beginning of POST Stage I(initial power on), POST will check to see if the EEPROM is locked. Ifit is locked, POST will display an error and halt the system because thehardware is not functional. The system owner will need to intervene toremedy the situation, which might require that the system board bereplaced. In one form, when the system has been tampered with, the first14 bytes of RAM storage in CMOS associated with the RTC and controlregisters are unaffected. The remaining segment of CMOS is set to all“one's” (binary value 1) as briefly described above. Upon detecting thiscondition, POST displays an appropriate error. In another form, aslittle as a single bit may be set to a state indicative of tampering. Ineither instance, the system owner/authorized user will need to interveneto remedy the situation which might require entry of the PAP at thepassword prompt to boot from the system reference diskette or the systempartition or that the system board be re-configured.

If the system owner forgets the PAP, the system board(s) affected willneed to be replaced. If the POP is forgotten, the system owner can openthe covers and toggle another switch on the system board to destroy thecontents of the POP in CMOS, and then enter the PAP (if installed) toaccess the password utility, to reinstall the POP.

When a system has been powered on with a valid PAP installed (Securemode) but no POP installed, POST will verify the PAP checksum. If thechecksum is good, POST will prompt the user to enter the PAP if the userattempts to enter setup. Otherwise, POST will not prompt for a passwordand the POP, the PAP, the backup PAP, the IPL device boot list, theEEPROM CRC, and all the indicators will be locked to prevent any access.If the PAP checksum is bad, an error is displayed and the system ishalted. This is to prevent a condition where POST could accidentallygive unprotected access to a user to a system which was previously insecure mode when the EEPROM failed. The system owner will need tointervene to remedy the situation which might require that the systemboard be replaced.

When the system has been powered on with both a valid PAP and a validPOP installed, POST will prompt the user to enter a password. If the POPis entered, POST will boot from the existing IPL device list. If the PAPis entered at the prompt rather than the POP, the user can enter setup.

Flowchart logic for the scenarios just described are included withinFIGS. 8a-8 c and 9 a-9 e, where links between certain steps areindicated by process blocks occupied by single letter designations inorder to simplify the charting.

In conjunction with the POST changes, the password utility must includesupport for the PAP. The utility will support installing, changing andremoving a PAP, and will interlock these three functions with theposition of the option or security switch. The security switch shouldremain in the locked position until an authorized user wishes to set thePAP. At that time, the user should remove the system covers and move thesecurity switch to the unlocked (change) position; then the PAP can beset. When the security switch is placed in the unlocked position,hardware logic external to the EEPROM allows the storing of the PAP intothe EEPROM. When the security switch is placed in the locked position,external hardware logic prevents any changes to the PAP locations in theEEPROM. Appropriate messages will appear if the authorized user attemptsto modify the PAP when the security switch is in the locked position.Also, messages will remind the user to return the security switch to thelocked position after the PAP is removed. An additional safety featureis built into the password utility that prohibits the authorized userfrom setting the PAP equal to the POP. Checks will be made when settingor changing the PAP to ensure that the new PAP does not equal thecurrent POP of the system. Also, when changing or removing the PAP, thecurrent PAP must be known.

It is contemplated that a personal computer system will initially beshipped with the security switch in the locked position and the tamperevident cover locked. This is done to prevent any person other than thesystem owner from setting the system into secure mode. Unlike the POP,the PAP cannot be erased through hardware manipulation. If the PAP isforgotten or an unauthorized user places the system into secure mode,the system board must be replaced.

The memory elements, switches and their interconnections describedherein are referred to in this description as “security featureelements,” reflecting that the components named are elements of thecomputer system which specifically enable the security featuresdescribed.

As will be understood, a personal computer system having the securitycapabilities described herein will be subject to attack by unauthorizedusers seeking to circumvent the security provisions described. Oneanticipatable form of attack will be a simple physical attack throughopenings defined in the enclosure provided by the cover 15 and chassis19. Such openings are provided, for example, for the flow of cooling airthrough the enclosure; for the insertion and removal of floppy discs andother digital signal storage media; for the attachment of cables and thelike; and even for the attachment (during manufacture or thereafter) offixtures and accessories to be bolted or screwed in place. Any suchopening may present an opportunity for the insertion of a probe by anunauthorized user seeking to avoid the security features described.Thus, a knowledgeable attacker might seek to erase the PAP or POP fromthe memory elements in which that data is stored, or seek to supplypower in a way which would defeat the interlock switch arrangementsdescribed.

The resolution of protection against such attacks is to mount the memoryelements and switches disposed within the computer system enclosure atlocations inaccessible to any unauthorized user of the personal computersystem attempting to affect the operation of any one of the memoryelements and switches by insertion of a probe through an opening. Theopening probed may be a ventilation opening for the passage of coolingair or, with ingenuity on the part of the attacker, any other one of thevarious openings described above. The probe may be a simple mechanicaldevice such as a bent paper clip, or some more sophisticated deviceconfigured specifically to reach a security feature element such asthose described or to emit some form of energy (electrical, sonic,radiation) which would so disrupt the normal operation of the securityfeature element as to permit an unauthorized user to gain access tootherwise protected data.

Security feature elements as described above can be protected againstprobing attack of the types described by being positioned either at suchdistances from enclosure openings as to defeat mechanical probing attackor at positions shielded by other computer elements which are of anon-sensitive nature. Signal pathways connecting security featureelements and possibly carrying digital signals related to securityfunctions may be protected against attack by being placed in theinterior of multiple layer printed circuit boards. Openings defined inthe computer enclosure may be configured to restrict or preventattacking access, as by being configured as tortuous passageways orbeing occluded by non-sensitive elements.

Again referring to FIG. 4, connection of battery voltage or groundpotential to the CMOS RAM 68 depends upon the state of the field effecttransistors 106 and 108. When transistor 106 is off, the securityfeature is not enabled, and battery voltage is always applied to theregister 114 of CMOS RAM 68. When the system owner enables the securityfeatures the transistor 106 is turned on, by an en_dect signal appliedto the input 107 of transistor 106. When antenna 109 passes through thecontrol zone where the first frequency is being transmitted (see alsoFIGS. 2 and 10), detector 1 10, triggered by the antenna 109, signalstransistor 108 to turn on and with transistor 106 also on (securityenabled), ground or low potential is applied to set the alarm flag atthe register 114 of the CMOS RAM 68. But if radiation with the firstcharacteristic is not present, battery voltage continues to be appliedat register 114 of the CMOS RAM 68 since transistor 108 is blocking.

Preferably the register 114 is located in the same storage segment ofthe CMOS RAM 68 as the registers which are set by the tamper evidentswitches 65 b, 66 b when a cover is removed from the system. Thus, bothunauthorized passage of the computer system through a control zone whenthis radiation triggered feature is enabled and unauthorized removal ofa cover while the tamper evident feature is enabled both result in thesame configuration error and are thereafter handled by the system in thesame manner during subsequent power-off, power-on procedures as setforth above with respect to the prior art security feature of therelated application, Ser. No. 07/889,325. Accordingly, one bit in thepreselected segment of the storage 68 is designated as a register toindicate activation of the cover tampering switches 65, 66 with thefeature enabled, and a second bit of the segment is for radiationdetected flag bit to indicate activation of transistor 108 with thefeature enabled. The switches 65, 66 and transistor 108 set these bitsto “1”s when they are activated as shown in FIG. 4.

During a power-on after a power-off, POST determines whether or not theradiation detected flag has been set to “1” by the transistor 108 andprompts for a password (PAP). The power-on logic then only reestablishessystem operation upon the successful entry of the PAP, i.e. permitsbooting of the Operating System from RAM storage 23 (FIG. 2).

At the next power-up from a power-off state, POST will check to see ifradiation detection is enabled and if the detection mechanism has beenactivated. If both conditions are met, POST will prompt for the PAP.After three attempts of incorrectly entering the PAP, POST will disablethe system. In order to reactivate the system, it is necessary topower-off the system and then power it on to obtain the prompt for thePAP. Until the PAP is correctly entered, the system will not boot andthus renders the system inactive. POST will render the system inactiveafter three unsuccessful attempts at correctly entering the PAP in asingle power-on session. A power-off and power-on cycle is requiredprior to being allowed to enter the PAP once-again. If this conditionexists, it requires that the user return the system to either the systemowner or an authorized user to be re-activated unless the user hasknowledge of the PAP.

The systems which include the capability to detect radiation with apredefined characteristic, a register 114 is set upon detection of theradiation. The power-on logic tests this register 114 to determine ifsecurity has been breached. If so, the normal power-on sequence isdiverted but can be resumed, in a preferred implementation, by enteringa correct password. Otherwise, the sequence is halted.

As preferred for the present invention (see FIG. 10), radiation normallyapplied to the control zone 500 by a transmitter and antenna 501 has asecond characteristic. That second characteristic triggers an electronictag 154 to emit a signal bearing an encoded serial number. An antenna502 at the control zone 500 collects the coded signal and applies it toa detector 503 that supplies the serial number to a table-look-upcomputer 506. The radiation applied by antenna 501 also triggers anelectronic tag 522, if carried by user 520, to emit a signal bearing anencoded personal ID code. An antenna 502 at the control zone 500collects the personal ID code and applies it to a detector 503 thatsupplies such number to a table-look-up computer 506. The computer 506searches for a match with a list of codes in its storage 508 anddetermines if user 520 is authorized to transport system 10 through thecheckpoint. If no authorization is found a security signal is sent to atransmitter 510 which floods the control zone with radiation having thefirst characteristic to cause the computer system 10 to set the alarmflag as discussed above.

FIG. 11 illustrates a second method to provide a personal ID to computer506. Located near the checkpoint 500 is located a keypad 530 forentering personal ID numbers or pass codes. If the user 520 enters aidentification or pass code on keypad 530, system 506 can use thatinformation to identify user 520 in place of badge 522. This methodprovides the same level of protection as the first method (described atFIG. 10) but does not require authorized users to also have electronicbadges.

One complication with this type of checkpoint or control zone 500 isthat the personal ID and system ID may occur simultaneously resulting ina “collision”. The RFID tags currently available on the market doinclude logic to overcome conflicting transmissions. When a collisionoccurs the tags each delay a respective randomized time beforeretransmitting to avoid a repeat collision A further complication withthis type of checkpoint or control zone 500 is that the order in whichthe personal ID and system ID are received may vary and there may not bea personal ID received at all. To overcome the problem of reconcilingthe received signals to trigger a disabling command, if appropriate,requires customized logic, which is preferably implemented by computer506 performing logic operations as described below.

FIG. 12 indicates logic, in flow chart form for reconciling the incomingidentification signals and determining if a computer being removed by aperson unauthorized to do so. After starting (operation 600) the logicmoves to operation 602 and enters a loop waiting for an incoming signalfrom keypad 530 (FIG. 11) or RFID tags 154 (FIG. 2) or 522 (FIG. 10). Aninput identification signal is tested (operation 604) to determine if itcorresponds to a system or a person .

If a person ID control transfers to store operation 610 and a predefinedtimed wait period begins (operation 618) to wait for a next incomingcode. If no code arrives during the wait period the logic returns tooperation 602 as no system 10 is passing through the control zone 500.If during the wait period a code is received it is checked (operation620). Should the code be a personal code it is stored at operation 610.On the other hand, if the code is for a system, control is transferredto operation 616 where the personal code and system code are comparedusing a predefined lookup table (preferably stored in computer 506) fora match. If the match fails a disable system command is initiated(operation 608). The system is reset if a match is found and nodisablement occurs.

Returning to operation 604, for a system ID control transfers tooperation 606 to check for a universal ID (anyone may remove suchsystem) and transfers to reset if a match to a universal ID occurs. Ifnot a universal ID, control transfers to operation 612 to store the ID.Control is then transferred from operation 612 to loop operation 614which is exited to operation 616 (discussed above) if a code arrivesbefore a predefined wait period . If loop operation 614 times out, asystem disable signal is sent (operation 608) as this is a removal withno personal ID being presented.

The instant invention has been shown and described herein in what isconsidered to be the most practical and preferred embodiment. It isrecognized, however, that departures may be made therefrom within thescope of the invention and that obvious modifications will occur to aperson skilled in the art that are within the scope and spirit of theclaimed invention. For example, the distinctive characteristic of theradiation used at the control zone may be frequency itself or may be apredefined code pattern on a carrier frequency.

What is claimed is:
 1. A security system comprising: a radiationtransmitter at a control zone exposing said control zone to radiationhaving a second distinctive characteristic; at least one computer systemhaving start up logic that on energization sequences the computer systemthrough a process to become operational and includes an identifierdevice that detects radiation having said second distinctivecharacteristic and responsively emits radiation bearing a respectiveencoded system identifier signal; identification apparatus for sending apersonal identifier signal; a receiver near said control zone responsiveto said system identifier signal including checking logic which performsa search on a predefined list of identifiers to determine if thereceived system identifier is listed and corresponds to the personalidentifier, said receiver producing an alarm signal if no such match isfound; a transmitter responsive to the alarm signal to emit radiationhaving a first distinctive characteristic into the control zone; areceiver mounted in said computer system which is responsive toradiation having said first distinctive characteristic to produce adisable signal; and security logic cooperating with said start-up logicand responsive to said disable signal to disable said start-up logicfrom making said computer system operative.
 2. A security systemaccording to claim 1 wherein said radiation is a radio frequency signaland the distinctive characteristic is the frequency of the radiation. 3.A security system according to claim 1 which further includes passwordchecking logic, a display device and a user operable input device andwherein said password checking logic prompts the user for a password ifan alarm signal is present and disables said security logic frompreventing said electronic computing apparatus from becoming operativeif the correct password is asserted at said input device.
 4. A securitysystem according to claim 1 where one said identification apparatus isan employee badge with a radiation activated tag.
 5. A security systemaccording to claim 1 where one said identification apparatus is a keypadat the control zone coupled to the receiver.
 6. A security systemaccording to claim 1 where said checking logic, for a selected set ofuniversal system identifiers, produces no disable signal.
 7. Acheckpoint apparatus for automatically disabling computer systemspassing through a control zone which have a tag responsive to aradiation with a distinctive characteristic to trigger radiation of acoded system identification signal and radiation activated disablinglogic , said checkpoint apparatus comprising: a radiation device forflooding the control zone with radiation having the distinctivecharacteristic; a receiver for receiving a coded system identificationsignal and a coded personal identification signal input by a person inthe control zone; checking logic including a storage with a predefinedidentification signal table which is coupled for receiving the personaland system identification signals from the receiver and compares signalsarriving within a preselected time period for a match and if none iffound triggers a transmitter to send a disabling signal whereby thedisabling logic of a computer system in the control zone would betriggered.
 8. A checkpoint apparatus according to claim 7 where personalidentification signal is transmitted by is an employee badge with aradiation activated tag.
 9. A checkpoint apparatus according to claim 7which includes a keypad which provides the personal identificationsignal in response to actuation by a person.
 10. A checkpoint apparatusaccording to claim 7 wherein the distinctive radiation characteristic isfrequency.
 11. A checkpoint apparatus according to claim 7 wherein thedistinctive radiation characteristic is a distinctive code on a carrierfrequency.
 12. A security system according to claim 1 wherein thedistinctive radiation characteristic is a distinctive code on a carrierfrequency.